On Fri, 23 Aug 2002, Adrian Quek wrote:
> Igor Brezac wrote:
>
> >On Thu, 22 Aug 2002, Scott Moorhouse wrote:
> >
> >
> >
> >>Adrian Quek wrote:
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>I've been trying to get Solaris 9 to talk to openldap (2.0.23) on a
> >>>RedHat 7.3 server with TLS and I've managed to get authentication
> >>>working with the native pam_ldap provided by Solaris 9.
> >>>
> >>>
> >>"Me too!" That's my exact situation. But I'm having a different
> >>problem. Not to dilute your thread...
> >>How did you set up your certificates? So far I've done the following
> >>steps, but still can't get it working.
> >>
> >>I've:
> >>1. Set up an internal CA to sign certificates using OpenSSL's tools
> >>2. Generated a certificate for the LDAP server, also using OpenSSL's tools
> >>3. Signed said certificate with my CA, still using OpenSSL's tools
> >>4. Loaded up Netscape 4.7x, fed it my CA's certificate and told it to
> >>trust the certificate to identify sites
> >>5. Copied the .netscape/cert7.db and .netscape/key3.db files to
> >>/var/ldap/ and chmod'd them 444 per the documentation
> >>6. Configured the Solaris LDAP client to use TLS with simple authentication
> >>7. Verified that I am trying to contact the server by the same name
> >>that's recorded as the common name in the certificate
> >>8. Watched the Solaris LDAP client still refuse to initiate a TLS
> >>connection with my server.
> >>
> >>
> I was suspecting that my problem was due to the version of openldap that
> came installed with my RH7.3 server. Thus I did a complete install on a
> Solaris 9 machine and it worked! What I did was to compile openldap with
> the '--with-tls' option, and follow the steps given by Philip Brown
> (http://www.bolthole.com/solaris/LDAP.html) for creating the certs. Not
> sure if this has makes difference, but when accessing your ldap server
> (https://yourldap.server:636) to obtain the certs, I chose to accept
> this certificate forever until expired instead of the default which was
> just once.
>
> >
> >You proly meant to say that the ldap server refused to establish a TLS
> >connection with the solaris 9 ldap client. It seems that the ldap server
> >log can help you to troubleshoot this problem. Try loglevel 264 in
> >slapd.conf. I have not tried this, but I am curious to know if you will
> >make this work.
> >
> >
> >
> I'm curious how to find out what loglevel does what... is there any such
> documentation out there?
>
>From man slapd.conf
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 entry parsing
--
Igor